Vincero DMS is live.
Vincero

Legal

Privacy Policy

Last updated: 30 May 2026

1. Who we are

Vincero Limited(“Vincero”, “we”, “us”) is a New Zealand registered company (NZBN 9429053636706, company number 9425676) building software for New Zealand vehicle dealers. Our registered office is 94 Falsgrave Street, Waltham, Christchurch, 8011, New Zealand.

This policy explains how we collect, use, store, and share personal information. We follow the New Zealand Privacy Act 2020 and the 13 Information Privacy Principles (IPPs) it sets out.

2. Which products this policy covers

This policy applies to all current Vincero products:

  • Vincero DMS (web), our Dealer Management System for tracking vehicle stock, customers, test drives, and sales. Used by dealer staff on a laptop or desktop browser.
  • Vincero DMS (iOS app), the same DMS, on iPhone, for use on the yard. Pairs with the web DMS to share data in real time.
  • Vincero Inbox, a multi-channel inbox (email, SMS, web chat, phone) for dealerships to manage conversations with prospective customers.

The personal information we hold belongs to two groups:

  • Dealer staff, people who work at a dealership and use Vincero directly (salespeople, managers, owners). They sign in with an email address and use the product day-to-day.
  • Dealer customers, members of the public who buy or test-drive a vehicle from a Vincero-using dealership, or who message the dealership about a vehicle. Their contact details, identification documents (e.g. driver licence), sale agreements, and conversation history are stored in Vincero so the dealership can serve them.

For dealer customers, the dealership is the agency that collected the information directly. Vincero processes that information on the dealership's behalf as a service provider.

3. What we collect

From dealer staff (all products): name, email address, phone number, role, the dealership they work for, and audit logs of actions taken in the product (which screens were viewed, which records were edited, when).

From dealer customers, via the dealership (DMS): name, email address, phone number, physical address, driver licence number and a photograph of the licence (when scanned for test-drive identification), vehicle trade-in details, and signed sale agreements (VOSA, Consumer Information Notice, wholesale invoices).

From dealer customers, via the dealership (Inbox): name, email address, phone number, and the content of messages exchanged with the dealership across email, SMS, web chat, or phone. Where calls are recorded, the recording itself and a transcript of it.

Vehicle inventory data (DMS): photos of vehicles the dealership has in stock, technical specifications, pricing, status history, and ownership/finance information relevant to sale.

Third-party vehicle records (DMS, on dealer request):when a dealer enters a number plate or VIN, we fetch matching vehicle records from NZTA (via CarJam) and run security-interest checks on the Personal Property Securities Register (PPSR). The result is stored against the vehicle on the dealer's account.

Device diagnostics (iOS app): anonymous crash reports if the app crashes, stack traces, OS version, device model. We do not collect device identifiers that could be used to track you across apps.

We do not knowingly collect information from people under 16.

4. Why we collect it

  • To operate the DMS, manage vehicle stock, record test drives, verify customer identity for test drives, generate sale documents, and maintain an audit trail as required by the Motor Vehicle Sales Act 2003.
  • To operate the Inbox, receive customer messages, route them to the right salesperson, allow the dealership to respond, and keep a record of the conversation.
  • To meet legal obligations: the Motor Vehicle Sales Act 2003 (sales records), the Consumer Guarantees Act 1993 (Consumer Information Notice), and the Unsolicited Electronic Messages Act 2007 (SMS opt-out, where applicable).
  • To improve the product (anonymous, aggregated usage signals only, we do not read message content or customer records for product development).
  • To investigate abuse or security incidents.

We do not use any of this information for advertising, profile building, or tracking across apps or websites.

5. Who we share it with

We use third-party service providers to run Vincero. They process information on our behalf, under contract, only for the purposes we set:

  • Supabase (database, authentication, file storage for vehicle photos and licence images), hosted in Sydney, Australia.
  • Vercel (application hosting for the DMS web app and marketing site), global edge network, primary region Sydney.
  • CarJam Limited(NZ), when a dealer looks up a plate or VIN in the DMS, we query CarJam's API for matching NZTA vehicle records and PPSR security-interest results. CarJam relays the request to NZTA and the Personal Property Securities Register (MBIE) on our behalf.
  • Apple Inc., for distribution of the iOS app via the App Store, and for standard iOS crash reporting. No personal information beyond an anonymous crash diagnostic is sent to Apple.
  • Resend (email delivery), for transactional email such as sale-link emails to customers, plus inbound and outbound Inbox email.
  • Google LLC(Gemini API), when a dealer scans a number plate or the front of a driver licence with the iOS app camera, we send the image to Google's Gemini OCR service to extract the text. Images are processed in real time and are not retained by Google for model training.
  • SMS and voice provider (to be confirmed, Inbox only), for SMS inbound/outbound and call forwarding/recording when these channels launch.

We do not sell personal information to anyone, ever. We do not share it with advertisers. We do not use it for tracking across other apps or websites.

We will disclose information if compelled by New Zealand law (a court order or lawful information request).

6. Where it's stored

Personal information is stored on Supabase infrastructure in Sydney, Australia. Australia is recognised by the New Zealand Office of the Privacy Commissioner as having a comparable privacy regime under IPP 12 (cross-border disclosure).

Some processing happens at edge locations (Vercel) in the course of serving the application; this processing is transient and no personal information is retained at the edge.

7. How long we keep it

  • While a dealership is an active customer: for as long as the dealership uses Vincero, plus as long as required to meet legal obligations (e.g. tax records, audit trails).
  • After a dealership closes its account: we delete or anonymise their data within 30 days, except where a legal obligation requires us to keep it longer.
  • Backups: deleted data may persist in encrypted backups for up to 90 days before being purged.

8. Your rights

Under the Privacy Act 2020 you have the right to:

  • Ask what personal information we hold about you (Information Privacy Principle 6).
  • Ask us to correct it if it's wrong (IPP 7).
  • Ask us to delete it if we no longer need it.
  • Withdraw consent for marketing or non-essential communications at any time.
  • Complain to us, or to the NZ Office of the Privacy Commissioner if you're unhappy with our response.

To exercise any of these rights, email us at hello@vincero.co.nz. We will respond within 20 working days as required by the Privacy Act.

9. SMS and the right to opt out

Where Vincero sends SMS on behalf of a dealership, the dealership has a relationship with the recipient (typically the recipient messaged the dealership first). Every commercial SMS includes an opt-out instruction (e.g. “Reply STOP to opt out”).

Replying STOP, UNSUBSCRIBE, or similar to any Vincero-sent SMS will result in the dealership not sending further SMS to that number, in line with the Unsolicited Electronic Messages Act 2007.

10. Cookies and analytics

The Vincero web applications use essential cookies for sign-in sessions. We do not use third-party advertising cookies. We use minimal first-party analytics to understand product usage in aggregate; no individual tracking.

The Vincero iOS app does not use advertising identifiers or cross-app tracking. App Store Connect provides Apple with anonymous, aggregated install and crash metrics; we receive these as totals only.

11. iOS app device permissions

The Vincero iOS app asks for the following device permissions. Each permission is used only for the purpose described, and you can revoke any of them at any time in iOS Settings.

  • Camera, used to photograph number plates for plate-scan autofill, to scan the PDF417 barcode on the back of a NZ driver licence for test-drive identity verification, and to add photos of vehicles to the inventory.
  • Photo Library, used to attach existing photos (taken outside the app) to a vehicle record.

Photos and licence scans are uploaded to our Supabase storage buckets, scoped to the dealership's account. Plate and licence-front images are also sent to Google's Gemini OCR service in real time for text extraction (see section 5).

12. Security

We follow industry-standard practices: encryption in transit (HTTPS), encryption at rest (managed by Supabase), strong authentication, and least-privilege access for staff. No system is completely secure; if a breach affecting your information occurs, we will notify you and the Office of the Privacy Commissioner as required by the Privacy Act.

13. Changes to this policy

We may update this policy as the product evolves. The “Last updated” date at the top reflects the most recent revision. Material changes will be communicated to active users by email.

14. Contact us

For any privacy question, complaint, or request, email hello@vincero.co.nz. You can also write to us at our registered office: 94 Falsgrave Street, Waltham, Christchurch, 8011, New Zealand.

If you're not satisfied with our response, you can contact the New Zealand Office of the Privacy Commissioner at privacy.org.nz.